We had quite a lively discussion a while ago about methods of making meterpreter payloads capable of bypassing AV. I've been researching further and saw a nice write up of a technique that uses a DLL to write shellcode directly into an executable in memory. When the executable's shellcode has been updated, it runs the shellcode.
This is the link to the article and accompanying code. Has anyone else seen this?
I've managed to compile the dummyApp.exe file and its payloadLib.dll, but the DLL fails miserably when trying to execute VirtualProtectEx. The line of code that throws up an error is:
VirtualProtectEx(GetCurrentProcess(),
                 (LPVOID)offset,
                 SIZE_PAYLOAD,
                 PTR_PROTECT_NEW,
                 &PTR_PROTECT_OLD);
The error code is 487 - "ERROR_INVALID_ADDRESS".
I've seen that some of the code in the package needs some slight tweaks. My system is Windows XP SP3 and DEP is enabled only for essential Windows programs and services.
Thank you in anticipation for any insight into how to get this fascinating technique to work.
EDIT: after a bit more research